Password requirements
Posted: May 14th, 2009 | Author: Adrian | Filed under: Good practices, Usability fail | Tags: fields, forms, login, passwords | 3 Comments

Let’s face it! People use the same passwords on every site where they need an account. More exactly, they reuse their email and computer login password.
You’ll be amazed how many users have only one password. It’s a bad thing, but that’s how it is.
A while ago a friend of mine wrote on his blog about sites which demand a certain number of chars, demand both numbers and letters, and even one of the weird signs on the number keys. Putting a maximum limit on the number of chars is plain stupid.
Please, don’t make users come up with a different password than they already use. Chances are they already use a password with more than 6 chars (due to restrictions all over the place). If you make the user invent a password with #$%^, he’s going to forget it. Then he would have to recover/reset it – things that generate errors and frustration.
So PLEASE LEAVE PASSWORDS ALONEEE!!!111


Adrian,
that’s good advice only if you are providing generic, personal, “harmless” services to your customers, like blogs and picture albums. Stuff that doesn’t impact revenue. Services that demand security need a stronger password policy.
Totally agree with you on this one. I hate sites that force me to include a mixture of numbers and uppercase letters, as it makes it no stronger if you already have a long password.
Yes, a 6 letter (a-z) password is less secure than a 6 letter (a-zA-Z0-9) password, but not as strong as a 10+ letter (a-z) one.
I’m personally just waiting for more sites to start asking for passphrases so that they become common enough that users understand them and don’t get confused.
@Jacob – Wrong, ‘newyorkcity’ is less secure than Pus9I34 in every way: the first is not only open to dictionary attacks, it also has fewer combinations.
@adrian – Putting a maximum limit on a password is not stupid, putting a very small one is, but putting some sort of maximum on is sensible.
As for making users use different characters, tough. Users are the first to complain if their account gets hacked, but then when a user uses “1234” or “password” for their account, what do they expect? Unfortunately some users need to be saved from their own stupidity.
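The two arguments in the comments (Jacob’s point that length beats character-class mixing, and the reply’s point that a dictionary word is weak however long it is) can be put in numbers. The script below is an added example, not part of the post or of any commenter’s words: it estimates the attacker’s search space in bits from length and the character classes actually used, treats anything on a wordlist as costing only the wordlist size, and applies a strength threshold instead of composition rules. The tiny wordlist, the 33-character punctuation alphabet and the 40-bit threshold are assumptions chosen for illustration.

```python
import math
from typing import Tuple

# Constructed, tiny "common passwords" list for illustration only; a real
# deployment would load a large breached-password list instead.
COMMON_WORDS = {"password", "1234", "newyorkcity", "letmein", "qwerty"}

# Illustrative policy threshold (an assumption, not from the post): accept a
# password once its estimated search space reaches this many bits.
MIN_BITS = 40.0


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, based on which
    character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation; assumed alphabet size
    return size


def brute_force_bits(pw: str) -> float:
    """log2(alphabet_size ** length): the work of an exhaustive search when
    the attacker knows the length and the character classes used."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def effective_bits(pw: str, wordlist=COMMON_WORDS) -> float:
    """Work for an attacker who tries the wordlist before brute force: a
    listed word costs at most log2(len(wordlist)) guesses, however long it is."""
    if pw.lower() in wordlist:
        return math.log2(len(wordlist))
    return brute_force_bits(pw)


def check_policy(pw: str, min_bits: float = MIN_BITS) -> Tuple[bool, str]:
    """Strength-based rule instead of composition rules: any mix of classes
    is accepted as long as the estimated work reaches min_bits."""
    bits = effective_bits(pw)
    if pw.lower() in COMMON_WORDS:
        return False, f"common word ({bits:.1f} bits)"
    if bits < min_bits:
        return False, f"too weak ({bits:.1f} bits, need {min_bits:.0f})"
    return True, f"ok ({bits:.1f} bits)"


if __name__ == "__main__":
    # 6 lowercase, 6 mixed, 10 lowercase, the reply's example, and a dictionary word
    for pw in ["abcdef", "Ab1Cd2", "abcdefghij", "Pus9I34", "newyorkcity"]:
        ok, why = check_policy(pw)
        print(f"{pw:12} {'accept' if ok else 'reject':7} {why}")
```

Running it shows the ordering both commenters describe: six lowercase letters give about 28 bits, six mixed-class characters about 36 bits, ten lowercase letters about 47 bits, and `newyorkcity` drops to roughly 2 bits because it sits on the wordlist, regardless of its eleven-character length.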